[Python-ideas] Security: remove "." from sys.path?

Gregory P. Smith greg at krypto.org
Mon Jun 5 16:15:39 EDT 2017


On Mon, Jun 5, 2017 at 10:52 AM Chris Barker <chris.barker at noaa.gov> wrote:

> On Mon, Jun 5, 2017 at 3:55 AM, Victor Stinner <victor.stinner at gmail.com>
> wrote:
>
>> A minimum change would be to add the (empty string) at the end of
>> sys.path in Python 3.7 rather than adding it at the start.
>>
>> It would increase Python usability since it avoids the "random has no
>> randint() function" caused by a random.py file in the script directory. In
>> my experience, this bug hits every developer starting to learn Python and
>> it can be very strange when you get the error when trying to run IDLE.
>>
>
> But it would add the "why won't python import my file?!??!" problem, which
> newbies also struggle with.
>
> Which leaves me with no suggestion for a solution...
>

We already got rid of implicit relative imports within packages in Python
3. The primary value in continuing to treat the __main__ module differently
is simplicity for learners.

If the problem we're trying to solve (really - that needs to be nailed
down) is that of overriding standard library modules with your own .py
files being an issue (it is! it comes up time and time again)... This
simple move from beginning to end is the right way to do it. It does not
remove implicit relative imports for the main module but does remove
implicit stdlib shadowing, which is something nobody ever wants. And when
they do want that unwantable thing, they should be explicit about it
instead of relying on magic that depends on code being executed as __main__
vs imported as a module from elsewhere.

+0.667 on moving the empty string to the end of sys.path in 3.7 from me.

-gps